Mental & Behavioral Health
Practice Update from the National Association of Social Workers

What Social Workers Should Know about the HIPAA Privacy Regulations

HIPAA Privacy Regulations Timeline

October 29, 1999 — HHS issues proposed regulations with comment period through February 2000. NASW submits extensive comments.

December 28, 2000 — Final privacy regulations issued by HHS.

February 26, 2001 — Bush Administration reopens comment period through March, 2001. NASW submits comments.

April 12, 2001 — President Bush announces that privacy regulations will take effect on April 14, 2001 . President Bush and HHS Secretary Thompson reference the possibility of further modifications to these regulations. HHS has the authority to make changes to the rule prior to the compliance date.

April 14, 2003 — Covered entities must be in compliance with the HIPAA Privacy Regulations by this date. (Small health plans with $5 million or less in annual receipts have until April 14, 2004 ).

What Social Workers Should Know about the HIPAA Privacy Regulations

This practice update is a starting point for discussion and guidance for social workers on the Health Insurance Portability and Accountability Act of 1996 (HIPAA) privacy regulations and compliance. Given the complexity of the HIPAA privacy regulations and the possibility of modifications, we anticipate future updates that will provide additional information and guidance on specific components of the regulations and any further modifications. NASW recommends that you review this guideline carefully, to determine whether you meet the definition of a "covered entity" under the HIPAA privacy regulations and are subject to complying with the regulations.


The primacy of client privacy and confidentiality has long been a tenet of the social work profession. The nature of our work with clients and our sensitivity to the stigma that often accompanies mental illness and substance abuse issues guides our position. The U.S. Congress recognized the importance of privacy of medical records when the Health Insurance Portability and Accountability Act of 1996 (HIPAA) was enacted during the Clinton administration.

HIPAA authorized Congress to establish uniform privacy standards for health information that is electronically transmitted . Under this law, Congress was required to pass comprehensive health privacy legislation by August 21, 1999 . Congress failed to accomplish this task and thus, responsibility for issuing privacy regulations was transferred to the Secretary of Health and Human Services (HHS) as mandated by HIPAA. In accordance, HHS issued proposed regulations on October 29, 1999 , and allowed for an extended comment period. More than 52,000 comments were received in response to these regulations, including extensive comments submitted by the National Association of Social Workers and individual social workers. The final privacy regulations were issued by HHS just before the completion of President Clinton's term; however, on February 26, 2001 , the Bush Administration reopened the comment period for an additional 30 days. On April 12, 2001 , President Bush announced that the privacy regulations, without changes, would take effect on April 14, 2001 .


The privacy regulations establish that personal health information must be kept confidential. The regulations are designed to safeguard the privacy and confidentiality of a consumer's health information, especially in this age of rapid advances in technology and the subsequent ease with which information can be transmitted. The regulations establish a baseline of patient/client protections by defining the rights of individuals, the administrative obligations of covered entities, and the permitted uses and disclosures of protected health information. State laws that are stronger (that is, provide a greater degree of privacy protection) will continue to stand. In addition, states have the liberty to enact stronger protections in the future.

Compliance Deadline

"Covered entities" have until April 14, 2003 , to implement the HIPAA privacy regulations and come into compliance. Under the regulations, failure to comply can result in civil and criminal penalties for covered entities; however, clients were not accorded the right to sue for violations of the regulation. The controversy and debate over the current regulations have not been put to rest. Recent comments by President Bush and HHS Secretary Tommy Thompson indicate plans to "soften" the regulations and to revisit some of the more controversial components over the next two years. Nevertheless, the clock has started on the two-year window for compliance, and thus health care providers need to determine now whether they meet the definition of a covered entity and what modifications they must make to be in compliance by April 14, 2003 .

Who or what is a "covered entity" under the new regulations?
  • A health care provider who transmits health/behavioral health claims-type information electronically . The definition includes practitioners, such as those in agency or private practice.

Note: Although many social workers currently do not transmit health claims–type information electronically, thus not meeting the definition of a covered entity, it is likely that over the next few years, this will become a standard and expected industry practice. NASW advises members to consider this as they review their status as a covered entity.

  • A health plan— includes HMOs, health insurers, group health plans (except a group plan for an employer with fewer than 50 employees and which is also self-insured).
  • A health care clearinghouse— defined in the rules as "a public or private entity, including a billing service, repricing company, community health management information system or community health information system, and "value-added" networks and switches, that does either of the following functions: (1) Processes or facilitates the processing of health information received from another entity in a nonstandard format or containing nonstandard data content into standard data elements or a standard transaction. (2) Receives a standard transaction from another entity and processes or facilitates the processing of health information into nonstandard format or nonstandard data content for the receiving entity."

The HIPAA regulations require that covered entities maintain contracts with their business associates that essentially bind the business associates to the same privacy practices of the covered entities. Business associates are defined as individuals who receive health information from a covered entity or on behalf of a covered entity. Examples include a copy center, a contracted phone answering service, an accountant reviewing books, auditors, quality assurance/utilization review services, or other contracted services that might interact with protected health information.

What information is protected by the privacy regulations? [Protected Health Information]

Protected health information includes information

  • about a person's health, health care, or payment of health care (the term "health" includes mental health and behavioral health issues)
  • that identifies a person
  • created or received by a covered health care plan or provider.

Note : All medical records or other individually identifiable health information held or disclosed by a covered entity in any form (electronically, on paper, or orally) are covered by the final regulation.

How is this information protected?

Protected health information may not be disclosed by a covered entity without the informed and voluntary written consent or authorization of the client. A covered entity is required to obtain a client's consent for use or disclosure of client information for purposes of health care treatment, payment, and operations.   Disclosure must be limited to the minimum amount necessary for the purposes of disclosure, with the exception of transferring records for treatment, when providers need access to the full record to ensure quality care. A client's authorization is required for any other type of disclosure.

Health care providers may condition treatment on obtaining client consent of protected health information for the purposes of treatment, payment, and health care operations. Similarly, health plans and health care clearinghouses also may condition enrollment on the client's provision of a consent to disclose protected health information for the purposes of treatment, payment, and health care operations.

What are the client's rights under these new regulations?
  • Clients have a right to gain access to their medical records. As such, they are entitled to see and copy their records and request amendments. A history of disclosures of protected health information must be made available to clients on their request.
  • Clients have a right to request a restriction on the use and disclosure of their protected health information for the purposes of treatment, payment, or health care
  • operations.
  • Covered entities are required to provide clients with a clear, written explanation of how their protected health information can be used and disclosed.
Administrative Requirement for Covered Entities

Covered entities are required to:

  • designate a privacy official who will develop and implement the privacy policies and procedures of the organization.
  • develop policies and procedures designed to ensure that covered entities are in compliance with the standards and requirements of the privacy rule.
  • maintain a record of all versions of their privacy policies and procedures, along with any complaints filed and disclosures of protected health information, for six years.
  • provide privacy training to the workforce. Staff must be trained by the compliance date ( April 14, 2003 ).
  • develop a system of sanctions for employees who violate the entity's policies.
  • meet documentation requirements.
  • provide written notice of privacy practices in plain English. The notice of privacy practices must include a description of the client's rights; describe anticipated uses and disclosures of information that may be made without authorization (giving at least one example); identify a contact person in the event of a complaint, and inform of the right to register a complaint with the secretary of HHS. This notice must be posted in a visible location, and a written copy must be given to clients at their first visit after the compliance date.
Are there circumstances under which protected health information may be disclosed without a client's consent or authorization?

Yes. There are a number of exceptions under the HIPAA regulations that allow for disclosure of client's protected health information without client consent or authorization. Note, however, that state law requirements may differ or be more protective of the client's protected health information. Some permitted HIPAA disclosures are

  • disclosures required by law
  • permitted disclosures for public health activities (such as reporting diseases, collecting vital statistics, etc)
  • disclosure about victims of abuse, neglect or domestic violence
  • health oversight activities
  • disclosures for judicial or administrative proceedings
  • disclosures for law enforcement purposes
  • use and disclosure for research purposes
  • disclosures to avert a serious threat to health or safety.

The HIPAA regulations are "permissive," which means that these are the circumstances under the regulations in which health care providers are permitted to disclose protected health information without client consent or authorization. However, other laws (such as state privacy and confidentiality regulations) or a professional code of ethics may require providers to proceed in a different manner. Social workers are expected to adhere to their professional code of ethics when determining whether it is necessary or appropriate to make these permitted HIPAA disclosures.

Do the same requirements apply to mental health records and to medical records?

In general, yes; however,

  • "Psychotherapy notes" are accorded special privacy protections under this regulation. Ordinarily, a written client consent is required before psychotherapy notes can be disclosed to anyone.
  • A health plan may not condition a client's enrollment or eligibility on the provision of the client's authorization or consent for disclosure of psychotherapy notes.
  • Psychotherapy notes are excluded from the provision that gives clients the right to see and copy their health information.
How are psychotherapy notes defined?
  • Psychotherapy notes are defined in the regulation as "notes recorded (in any medium) by a health care provider who is a mental health professional documenting or analyzing the contents of conversation during a private counseling session or a group, joint, or family counseling session and that are separated from the rest of the individual's medical record ." (emphasis added).
  • Excluded from the definition of psychotherapy notes are medication prescription and monitoring, counseling session start and stop times, modalities and frequencies of treatment furnished, results of clinical tests, and any summary of the following items: diagnosis, functional status, treatment plan, symptoms, prognosis, and progress to date.
Are there circumstances under which psychotherapy notes may be disclosed under HIPAA without the client's consent or authorization?

Yes. "Psychotherapy notes may be disclosed without consent or authorization:

  • when needed to defend a lawsuit against the therapist by the individual who is the subject of the notes;
  • to HHS when required for enforcement of the privacy rule;
  • when required by law…;
  • when needed for oversight of the provider who created the notes;
  • to a coroner or medical examiner;
  • when needed to avert a serious and imminent threat to health or safety.

Unlike other health records, psychotherapy notes are not subject to disclosure to individuals." (Litwak, Behavioral Healthcare Tomorrow, April 2001).

Practice Cautions:
  • First, determine if the regulations are applicable.

If yes,

  • Start and maintain a file of information about the privacy regulations.
  • Get a copy of the privacy regulations (see References) and check appropriate Web sites periodically to download updates and implementation guidelines. HHS has indicated that they will develop and issue guidelines on the privacy regulations.
  • Review record keeping policies and procedures including those for psychotherapy notes, if applicable.
  • Set a time frame and establish a plan to meet the basic requirements of the regulations by the compliance date of April 14, 2003 . This plan should include designating a privacy officer, training staff, and revising or developing appropriate consent and authorization forms.
  • Watch for future NASW guidance and continuing education on this issue.

If no,

  • Continue to monitor your status and stay abreast of current developments in the HIPAA regulations. Watch for future NASW guidance, articles, and continuing education on this issue.
Questions and Guidance

Questions about interpretation or application of the regulations can be addressed to HHS directly by calling 1-866-627-7748, 1-866-788-4989 (TTY) or submitting an email to: .

Questions about state law (such as whether a state privacy law is more protective than the federal regulation) should be addressed to the Attorney General for the state in question. Contact information for the State Attorney General's office is available online at: .

On July 6, 2001 , HHS Secretary Thompson issued the first guidance document for the HIPAA Privacy Regulations. This document is the first of several guidance documents that HHS will issue in order to clarify the Privacy Regulations, assist with implementation and address any modifications. This document can be accessed at the HHS Office for Civil Rights web site at under the heading "Technical Assistance".

References & Reading
Standards for Privacy of Individually Identifiable Health Information [Online]. Available: .
Litwak, P. (2001, April). HIPAA privacy rules: What plans, providers must know. Behavioral Healthcare Tomorrow, 10(2), pp. 12, 13, 31-32, 34, 36.
Overview of Privacy Regulations, Health Privacy Project, Institute for Healthcare Research and Policy, Georgetown University [Online]. Available: .
Polowy, C. I. , & Gorenberg, C. (1997, May). Client confidentiality and privileged communications [Law Note]. Washington , DC : National Association of Social Workers, Office of General Counsel. [Copies may be purchased for $5.00 from: NASW Legal Defense Fund, 750 First Street, N.E. , Washington , D.C. 20002 or contact 800-638-8799 ext. 290 for further information.]
Polowy, C. I. , & Kraft, E. G. (1999, February). The social worker and protection of privacy [Law Note]. Washington , DC : National Association of Social Workers, Office of General Counsel. [Copies may be purchased for $5.00 from: NASW Legal Defense Fund, 750 First Street, N.E. , Washington , D.C. 20002 or contact 800-638-8799 ext. 290 for further information.]
National Association of Social Workers. (2000). NASW Code of ethics . Washington , DC : Author. [Copies may be obtained by contacting 800-638-8799 ext. 429 or downloaded from .]
Redhead, C. S. (2001, April 18). Medical records privacy: Questions and answers on the HIPAA final rule (CRS Report for Congress, Order Code RS20500, Updated April 18, 2001 ). Washington , DC : Congressional Research Service, Library of Congress.
The Work Group for the Computerization of Behavioral Health and Human Services Records, 4 Brattle Street, Suite 207, Cambridge, MA 01238. Available: .

Nancy Bateman, LCSW-C, CAC
Senior Staff Associate
Behavioral Healthcare
National Association of Social Workers, 750 First Street, NE • Suite 800, Washington, DC 20002
NASW Member Services 800-742-4089 Mon-Fri 9:00 a.m. - 9:00 p.m. ET or
©2017 National Association of Social Workers. All Rights Reserved.
  • Update Your Profile in the Member Center
  • Login